External load balancers: before or after?
Usually you should deploy FortiWeb in front of your load balancer (such as FortiBalancer, FortiADC, or any other device that applies source NAT), so that FortiWeb is between the load balancer and the clients. This has important effects:
Simplified configuration
Unscanned traffic will not reach your load balancer, improving its performance and security
At the IP layer, from FortiWeb’s perspective, HTTP requests will correctly appear to originate from the real client’s IP address rather than from your load balancer (as they would after SNAT)
Otherwise, attackers’ and legitimate clients’ IP addresses may be hidden by the load balancer.
 
Alternatively, depending on the features that you require, you may be able to use FortiWeb’s built-in load balancing features instead. See “Load Balancing Algorithm”.
Figure 10: Example network topology: Load balancer after FortiWeb
Figure 11: Example network topology: Load balancer before FortiWeb, no X-headers (misconfiguration)
If FortiWeb must instead be deployed behind your load balancer, you must configure your devices to compensate for that topology so that client IP addresses are not hidden:
Configure your load balancer so that it does not multiplex HTTP requests from multiple different clients into each TCP connection with FortiWeb.
FortiWeb often applies blocking at the TCP/IP connection level, which could result in blocking innocent HTTP requests if the load balancer is transmitting them within the same TCP connection as an attack. It could therefore appear to cause intermittent failed requests.
Configure your load balancer to insert or append to an X-Forwarded-For:, X-Real-IP:, or other HTTP X-header. Also configure FortiWeb to find the original attacker’s or client’s IP address in that HTTP header, not in the IP session (see “Defining your proxies, clients, & X-headers”).
 
Some features do not support using client IPs found in the X-header. See “Defining your proxies, clients, & X-headers”.
Figure 12: Example network topology: Load balancer before FortiWeb with X-headers
Do not set any Action to Period Block if the load balancer, or any other device in front of FortiWeb, applies SNAT unless you have configured blocking based upon HTTP X-headers. Period blocking based upon the source IP address at the IP layer will cause innocent requests forwarded by the SNAT device after an attack to be blocked until the blocking period expires. It could therefore appear to cause intermittent service outages.
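A concrete illustration of the two points above, that X-headers should be trusted only when the TCP peer is a known proxy, and that period blocking must key on the header-derived client address rather than the SNAT address. This is an added Python example, not FortiWeb code; the proxy and client addresses are constructed.

```python
import ipaddress
import time

# Constructed: the SNAT load balancer(s) that sit directly in front of the WAF.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip(peer_ip, headers, trusted_proxies=TRUSTED_PROXIES):
    """Address the WAF should attribute a request to. X-headers are honoured
    only when the TCP peer is a trusted proxy (else a client could spoof them);
    the rightmost X-Forwarded-For entry that is not a proxy is the real client."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted_proxies:
        return str(peer)
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    candidates = list(reversed(hops)) + [headers.get("X-Real-IP", "").strip()]
    for hop in candidates:
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # empty or malformed entry: skip it
        if addr not in trusted_proxies:
            return str(addr)
    return str(peer)  # no usable header: fall back to the IP-layer address


class PeriodBlocker:
    """Minimal period-block table keyed on whatever address the caller passes."""
    def __init__(self, period_s, now=time.monotonic):
        self.period_s, self.now, self.blocked_until = period_s, now, {}
    def block(self, key):
        self.blocked_until[key] = self.now() + self.period_s
    def is_blocked(self, key):
        return self.now() < self.blocked_until.get(key, 0.0)


def innocent_request_blocked(key_on_xheader):
    """Attack from 203.0.113.7, then an innocent request from 198.51.100.9, both
    forwarded by the SNAT load balancer (constructed). True = innocent is blocked."""
    blocker = PeriodBlocker(period_s=60)
    attack = ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7"})
    innocent = ("10.0.0.5", {"X-Forwarded-For": "198.51.100.9"})
    key = client_ip if key_on_xheader else (lambda peer, headers: peer)
    blocker.block(key(*attack))
    return blocker.is_blocked(key(*innocent))
```

Keyed on the IP-layer address every client behind the load balancer shares the attacker's block; keyed on the X-header-derived address only the attacker is blocked.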